Thanks, aazherelyeu! I misinterpreted the Graylog IPFIX manual (IPFIX Input — Graylog 4.0.0 documentation) and originally placed the value codes in the data_type field instead of the descriptions, so I had this:
{
  "element_id": 880,
  "name": "tenantProtocol",
  "data_type": "1"
},
instead of this:
{
  "element_id": 880,
  "name": "tenantProtocol",
  "data_type": "unsigned8"
},
Making that switch cleared up my “org.graylog.integrations.ipfix.IpfixException: Missing information element definitions for private enterprise number 6876” error.
I also had another error message in graylog.log, “Unable to read information element definition file
com.fasterxml.jackson.core.JsonParseException: Unexpected character (']' (code 93)): expected a value”, but that was cleared up by removing an extra comma after the last element_id block.
Thanks, gsmith. I did try using an IPFIX UDP input, but that didn’t work until I fixed the IPFIX field definitions file.
For anyone who comes across this in the future, here is the VMware reference I used to build my JSON file, and the JSON file itself to interpret the vSphere NetFlow messages:
{
  "enterprise_number": 6876,
  "information_elements": [
    {
      "element_id": 880,
      "name": "tenantProtocol",
      "data_type": "unsigned8"
    },
    {
      "element_id": 881,
      "name": "tenantSourceIPv4",
      "data_type": "ipv4Address"
    },
    {
      "element_id": 882,
      "name": "tenantDestIPv4",
      "data_type": "ipv4Address"
    },
    {
      "element_id": 883,
      "name": "tenantSourceIPv6",
      "data_type": "ipv6Address"
    },
    {
      "element_id": 884,
      "name": "tenantDestIPv6",
      "data_type": "ipv6Address"
    },
    {
      "element_id": 886,
      "name": "tenantSourcePort",
      "data_type": "unsigned16"
    },
    {
      "element_id": 887,
      "name": "tenantDestPort",
      "data_type": "unsigned16"
    },
    {
      "element_id": 888,
      "name": "egressInterfaceAttr",
      "data_type": "unsigned16"
    },
    {
      "element_id": 889,
      "name": "vxlanExportRole",
      "data_type": "unsigned8"
    },
    {
      "element_id": 890,
      "name": "ingressInterfaceAttr",
      "data_type": "unsigned16"
    }
  ]
}
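A pre-flight check for a definitions file like the one above, catching both mistakes described in this post (a numeric value code in data_type, and a trailing comma) before the IPFIX input is restarted. This is an added example, not part of the original post and not Graylog code; the function name `check_definitions` is hypothetical, and it assumes Graylog accepts the standard IPFIX abstract data type names beyond the four used in the post.

```python
import json

# IPFIX abstract data type names in IANA registry order (RFC 5610 value
# codes 0..22), so the list index is the numeric value code.
# Assumption: Graylog accepts these names; the post confirms only four.
IPFIX_TYPES = [
    "octetArray", "unsigned8", "unsigned16", "unsigned32", "unsigned64",
    "signed8", "signed16", "signed32", "signed64", "float32", "float64",
    "boolean", "macAddress", "string", "dateTimeSeconds",
    "dateTimeMilliseconds", "dateTimeMicroseconds", "dateTimeNanoseconds",
    "ipv4Address", "ipv6Address", "basicList", "subTemplateList",
    "subTemplateMultiList",
]


def check_definitions(text):
    """Return a list of problems found in an IPFIX definitions file."""
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        # Strict JSON: a comma before the closing ']' ends up here.
        return [f"line {exc.lineno}, column {exc.colno}: {exc.msg}"]
    if not isinstance(doc, dict):
        return ["top level must be a JSON object"]
    problems = []
    if not isinstance(doc.get("enterprise_number"), int):
        problems.append("enterprise_number must be an integer")
    for i, el in enumerate(doc.get("information_elements", [])):
        eid, dtype = el.get("element_id"), el.get("data_type")
        label = f"element {i} ({el.get('name', '?')})"
        if not isinstance(eid, int):
            problems.append(f"{label}: element_id must be an integer")
        is_code = isinstance(dtype, str) and dtype.isdecimal()
        if is_code and int(dtype) < len(IPFIX_TYPES):
            problems.append(f'{label}: data_type "{dtype}" is a value code, '
                            f'use "{IPFIX_TYPES[int(dtype)]}"')
        elif dtype not in IPFIX_TYPES:
            problems.append(f"{label}: unknown data_type {dtype!r}")
    return problems


# Constructed sample inputs reproducing the two mistakes from the post.
WRONG_TYPE = '{"enterprise_number": 6876, "information_elements": [{"element_id": 880, "name": "tenantProtocol", "data_type": "1"}]}'
TRAILING_COMMA = '{"enterprise_number": 6876, "information_elements": [{"element_id": 880, "name": "tenantProtocol", "data_type": "unsigned8"},]}'

if __name__ == "__main__":
    for sample in (WRONG_TYPE, TRAILING_COMMA):
        print(check_definitions(sample))
```

An empty list means the file parsed as strict JSON and every data_type is a type name rather than a code.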